http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8e20cf2bce122ce9262d6034ee5d5b76fbb92f96

SUSE-SU-2016:0911

SUSE-SU-2016:1102

SUSE-SU-2016:2074

DSA-3607

84288

USN-2967-1

USN-2967-2

USN-2968-1

USN-2968-2

USN-2969-1

USN-2970-1

USN-2971-1

USN-2971-2

USN-2971-3

https://bugzilla.redhat.com/show_bug.cgi?id=1285326

https://github.com/torvalds/linux/commit/8e20cf2bce122ce9262d6034ee5d5b76fbb92f96

https://security-tracker.debian.org/tracker/CVE-2015-7515

39544

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2     Voice Service driver for the Linux kernel 3.x, as used     in Qualcomm Innovation Center (QuIC) Android     contributions for MSM devices and other products,     allows attackers to cause a denial of service (memory     corruption) or possibly have unspecified other impact     via a write request, as demonstrated by a     voice_svc_send_req buffer overflow.(CVE-2016-5343)

  - A use-after-free flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled user controls. A local,     privileged user could use this flaw to crash the     system.(CVE-2014-4655)

  - Race condition in the handle_to_path function in     fs/fhandle.c in the Linux kernel through 3.19.1 allows     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function.(CVE-2015-1420)

  - A flaw was found in the way the Linux kernel's keys     subsystem handled the termination condition in the     associative array garbage collection functionality. A     local, unprivileged user could use this flaw to crash     the system.(CVE-2014-3631)

  - A flaw was found in the ext4 subsystem. This     vulnerability is a use after free vulnerability was     found in __ext4_journal_stop(). Attackers could abuse     this to allow any code which attempts to deal with the     journal failure to be mishandled or not fail at all.
    This could lead to data corruption or     crashes.(CVE-2015-8961)

  - Buffer overflow in the oz_cdev_write function in     drivers/staging/ozwpan/ozcdev.c in the Linux kernel     before 3.12 allows local users to cause a denial of     service or possibly have unspecified other impact via a     crafted write operation.(CVE-2013-4513)

  - The nfnetlink_rcv_batch() function in     'net/netfilter/nfnetlink.c' in the Linux kernel before     4.5 does not check whether a batch message's length     field is large enough, which allows local users to     obtain sensitive information from kernel memory or     cause a denial of service (infinite loop or     out-of-bounds read) by leveraging the CAP_NET_ADMIN     capability.(CVE-2016-7917)

  - Array index error in the kvm_vm_ioctl_create_vcpu     function in virt/kvm/kvm_main.c in the KVM subsystem in     the Linux kernel through 3.12.5 allows local users to     gain privileges via a large id value.(CVE-2013-4587)

  - A leak of information was possible when issuing a     netlink command of the stack memory area leading up to     this function call. An attacker could use this to     determine stack information for use in a later     exploit.(CVE-2016-5243)

  - An issue was discovered in the Linux kernel in the F2FS     filesystem code. A NULL pointer dereference in     fscrypt_do_page_crypto() in the fs/crypto/crypto.c     function can occur when operating on a file on a     corrupted f2fs image.(CVE-2018-14616)

  - An out-of-bounds flaw was found in the kernel, where     the sco_sock_bind() function (bluetooth/sco) did not     check the length of its sockaddr parameter. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8575)

  - A denial of service vulnerability was found in the     WhiteHEAT USB Serial Driver (whiteheat_attach function     in drivers/usb/serial/whiteheat.c). In the driver, the     COMMAND_PORT variable was hard coded and set to 4 (5th     element). The driver assumed that the number of ports     would always be 5 and used port number 5 as the command     port. However, when using a USB device in which the     number of ports was set to a number less than 5 (for     example, 3), the driver triggered a kernel NULL-pointer     dereference. A non-privileged attacker could use this     flaw to panic the host.(CVE-2015-5257)

  - The LLC subsystem in the Linux kernel does not ensure     that a certain destructor exists in required     circumstances, which allows local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls.(CVE-2017-6345)

  - A vulnerability was found in Linux kernel. There is an     information leak in file sound/core/timer.c of the     latest mainline Linux kernel. The stack object 'r1' has     a total size of 32 bytes. Its field 'event' and 'val'     both contain 4 bytes padding. These 8 bytes padding     bytes are sent to user without being     initialized.(CVE-2016-4578)

  - An information leak flaw was found in the way the Linux     kernel changed certain segment registers and     thread-local storage (TLS) during a context switch. A     local, unprivileged user could use this flaw to leak     the user space TLS base address of an arbitrary     process.(CVE-2014-9419)

  - A flaw was found in the way memory was being allocated     on the stack for user space binaries. If heap (or     different memory region) and stack memory regions were     adjacent to each other, an attacker could use this flaw     to jump over the stack guard gap, cause controlled     memory corruption on process stack or the adjacent     memory region, and thus increase their privileges on     the system. This is a kernel-side mitigation which     increases the stack guard gap size from one page to 1     MiB to make successful exploitation of this issue more     difficult.(CVE-2017-1000364)

  - A flaw was found in the Linux kernel's handling of     clearing SELinux attributes on /proc/pid/attr files. An     empty (null) write to this file can crash the system by     causing the system to attempt to access unmapped kernel     memory.(CVE-2017-2618)

  - A use-after-free vulnerability was found in ALSA pcm     layer, which allows local users to cause a denial of     service, memory corruption, or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9794)

  - A flaw was found in the way the Linux kernel's floppy     driver handled user space provided data in certain     error code paths while processing FDRAWCMD IOCTL     commands. A local user with write access to /dev/fdX     could use this flaw to free (using the kfree()     function) arbitrary kernel memory. (CVE-2014-1737,     Important)t was found that the Linux kernel's floppy     driver leaked internal kernel memory addresses to user     space during the processing of the FDRAWCMD IOCTL     command. A local user with write access to /dev/fdX     could use this flaw to obtain information about the     kernel heap arrangement. (CVE-2014-1738, Low)Note: A     local user with write access to /dev/fdX could use     these two flaws (CVE-2014-1737 in combination with     CVE-2014-1738) to escalate their privileges on the     system.(CVE-2014-1737)

  - An out-of-bounds memory access flaw was found in the     Linux kernel's aiptek USB tablet driver (aiptek_probe()     function in drivers/input/tablet/aiptek.c). The driver     assumed that the interface always had at least one     endpoint. By using a specially crafted USB device with     no endpoints on one of its interfaces, an unprivileged     user with physical access to the system could trigger a     kernel NULL pointer dereference, causing the system to     panic.(CVE-2015-7515)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel handled     IRET faults during the processing of NMIs. An     unprivileged, local user could use this flaw to crash     the system or, potentially (although highly unlikely),     escalate their privileges on the system.(CVE-2015-5157)

  - A denial of service vulnerability was found in the     WhiteHEAT USB Serial Driver (whiteheat_attach function     in drivers/usb/serial/whiteheat.c). In the driver, the     COMMAND_PORT variable was hard coded and set to 4 (5th     element). The driver assumed that the number of ports     would always be 5 and used port number 5 as the command     port. However, when using a USB device in which the     number of ports was set to a number less than 5 (for     example, 3), the driver triggered a kernel NULL-pointer     dereference. A non-privileged attacker could use this     flaw to panic the host.(CVE-2015-5257)

  - A NULL pointer dereference flaw was found in the SCTP     implementation. A local user could use this flaw to     cause a denial of service on the system by triggering a     kernel panic when creating multiple sockets in parallel     while the system did not have the SCTP module     loaded.(CVE-2015-5283)

  - It was found that the x86 ISA (Instruction Set     Architecture) is prone to a denial of service attack     inside a virtualized environment in the form of an     infinite loop in the microcode due to the way     (sequential) delivering of benign exceptions such as     #AC (alignment check exception) is handled. A     privileged user inside a guest could use this flaw to     create denial of service conditions on the host     kernel.(CVE-2015-5307)

  - A flaw was found in the way the Linux kernel's     networking implementation handled UDP packets with     incorrect checksum values. A remote attacker could     potentially use this flaw to trigger an infinite loop     in the kernel, resulting in a denial of service on the     system, or cause a denial of service in applications     using the edge triggered epoll     functionality.(CVE-2015-5364)

  - A flaw was found in the way the Linux kernel's     networking implementation handled UDP packets with     incorrect checksum values. A remote attacker could     potentially use this flaw to trigger an infinite loop     in the kernel, resulting in a denial of service on the     system, or cause a denial of service in applications     using the edge triggered epoll     functionality.(CVE-2015-5366)

  - A cross-boundary flaw was discovered in the Linux     kernel software raid driver. The driver accessed a     disabled bitmap where only the first byte of the buffer     was initialized to zero. This meant that the rest of     the request (up to 4095 bytes) was left and copied into     user space. An attacker could use this flaw to read     private information from user space that would not     otherwise have been accessible.(CVE-2015-5697)

  - An integer-overflow vulnerability was found in the scsi     block-request handling code in function start_req(). A     local attacker could use specially crafted IOV requests     to overflow a counter used in bio_map_user_iov()'s page     calculation, and write past the end of the array that     contains kernel-page pointers.(CVE-2015-5707)

  - A flaw was found in the way the Linux kernel's vhost     driver treated userspace provided log file descriptor     when processing the VHOST_SET_LOG_FD ioctl command. The     file descriptor was never released and continued to     consume kernel memory. A privileged local user with     access to the /dev/vhost-net files could use this flaw     to create a denial-of-service attack.(CVE-2015-6252)

  - A flaw was found in the way the Linux kernel's perf     subsystem retrieved userlevel stack traces on PowerPC     systems. A local, unprivileged user could use this flaw     to cause a denial of service on the system by creating     a special stack layout that would force the     perf_callchain_user_64() function into an infinite     loop.(CVE-2015-6526)

  - A NULL-pointer dereference vulnerability was discovered     in the Linux kernel. The kernel's Reliable Datagram     Sockets (RDS) protocol implementation did not verify     that an underlying transport existed before creating a     connection to a remote server. A local system user     could exploit this flaw to crash the system by creating     sockets at specific times to trigger a NULL pointer     dereference.(CVE-2015-6937)

  - Multiple race conditions in the Advanced Union     Filesystem (aufs) aufs3-mmap.patch and aufs4-mmap.patch     patches for the Linux kernel 3.x and 4.x allow local     users to cause a denial of service (use-after-free and     BUG) or possibly gain privileges via a (1) madvise or     (2) msync system call, related to mm/madvise.c and     mm/msync.c.(CVE-2015-7312)

  - A divide-by-zero flaw was discovered in the Linux     kernel built with KVM virtualization     support(CONFIG_KVM). The flaw occurs in the KVM     module's Programmable Interval Timer(PIT) emulation,     when PIT counters for channel 1 or 2 are set to zero(0)     and a privileged user inside the guest attempts to read     these counters. A privileged guest user with access to     PIT I/O ports could exploit this issue to crash the     host kernel (denial of service).(CVE-2015-7513)

  - An out-of-bounds memory access flaw was found in the     Linux kernel's aiptek USB tablet driver (aiptek_probe()     function in drivers/input/tablet/aiptek.c). The driver     assumed that the interface always had at least one     endpoint. By using a specially crafted USB device with     no endpoints on one of its interfaces, an unprivileged     user with physical access to the system could trigger a     kernel NULL pointer dereference, causing the system to     panic.(CVE-2015-7515)

  - A NULL-pointer dereference flaw was found in the     kernel, which is caused by a race between revoking a     user-type key and reading from it. The issue could be     triggered by an unprivileged user with a local account,     causing the kernel to crash (denial of     service).(CVE-2015-7550)

  - A flaw was found in the way the Linux kernel visor     driver handles certain invalid USB device descriptors.
    The driver assumes that the device always has at least     one bulk OUT endpoint. By using a specially crafted USB     device (without a bulk OUT endpoint), an unprivileged     user with physical access could trigger a kernel     NULL-pointer dereference and cause a system panic     (denial of service).(CVE-2015-7566)

  - A race condition flaw was found in the way the Linux     kernel's IPC subsystem initialized certain fields in an     IPC object structure that were later used for     permission checking before inserting the object into a     globally visible list. A local, unprivileged user could     potentially use this flaw to elevate their privileges     on the system.(CVE-2015-7613)

  - A flaw was discovered in the Linux kernel where issuing     certain ioctl() -s commands to the '/dev/ppp' device     file could lead to a NULL pointer dereference. A     privileged user could use this flaw to cause a kernel     crash and denial of service.(CVE-2015-7799)

  - It was found that the Linux kernel's keys subsystem did     not correctly garbage collect uninstantiated keyrings.
    A local attacker could use this flaw to crash the     system or, potentially, escalate their privileges on     the system.(CVE-2015-7872)

  - A denial of service flaw was discovered in the Linux     kernel, where a race condition caused a NULL pointer     dereference in the RDS socket-creation code. A local     attacker could use this flaw to create a situation in     which a NULL pointer crashed the kernel.(CVE-2015-7990)

  - It was found that the x86 ISA (Instruction Set     Architecture) is prone to a denial of service attack     inside a virtualized environment in the form of an     infinite loop in the microcode due to the way     (sequential) delivering of benign exceptions such as     #DB (debug exception) is handled. A privileged user     inside a guest could use this flaw to create denial of     service conditions on the host kernel.(CVE-2015-8104)

  - It was found that the Linux kernel's IPv6 network stack     did not properly validate the value of the MTU variable     when it was set. A remote attacker could potentially     use this flaw to disrupt a target system's networking     (packet loss) by setting an invalid MTU value, for     example, via a NetworkManager daemon that is processing     router advertisement packets running on the target     system.(CVE-2015-8215)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various security and bug fixes. The following security bugs were fixed :

  - CVE-2016-4486: Fixed 4 byte information leak in     net/core/rtnetlink.c (bsc#978822).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948).

  - CVE-2016-2188: The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#970956).

  - CVE-2016-3138: The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a USB device without both a control and a data endpoint     descriptor (bnc#970911).

  - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions (bnc#970970).

  - CVE-2016-3140: The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970892).

  - CVE-2016-2186: The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970958).

  - CVE-2016-2185: The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#971124).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandles destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-2184: The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference or     double free, and system crash) via a crafted endpoints     value in a USB device descriptor (bnc#971125).

  - CVE-2016-3139: The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970909).

  - CVE-2016-2143: The fork implementation in the Linux     kernel on s390 platforms mishandled the case of four     page-table levels, which allowed local users to cause a     denial of service (system crash) or possibly have     unspecified other impact via a crafted application,     related to arch/s390/include/asm/mmu_context.h and     arch/s390/include/asm/pgalloc.h (bnc#970504).

  - CVE-2016-2782: The treo_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a (1) bulk-in or (2) interrupt-in     endpoint (bnc#968670).

  - CVE-2015-8816: The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel did not     properly maintain a hub-interface data structure, which     allowed physically proximate attackers to cause a denial     of service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device (bnc#968010).

  - CVE-2015-7566: The clie_5_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a bulk-out endpoint (bnc#961512).

  - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel     did not prevent recursive callback access, which allowed     local users to cause a denial of service (deadlock) via     a crafted ioctl call (bnc#968013).

  - CVE-2016-2547: sound/core/timer.c in the Linux kernel     employed a locking approach that did not consider slave     timer instances, which allowed local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call (bnc#968011).

  - CVE-2016-2548: sound/core/timer.c in the Linux kernel     retained certain linked lists after a close or stop     action, which allowed local users to cause a denial of     service (system crash) via a crafted ioctl call, related     to the (1) snd_timer_close and (2) _snd_timer_stop     functions (bnc#968012).

  - CVE-2016-2546: sound/core/timer.c in the Linux kernel     used an incorrect type of mutex, which allowed local     users to cause a denial of service (race condition,     use-after-free, and system crash) via a crafted ioctl     call (bnc#967975).

  - CVE-2016-2545: The snd_timer_interrupt function in     sound/core/timer.c in the Linux kernel did not properly     maintain a certain linked list, which allowed local     users to cause a denial of service (race condition and     system crash) via a crafted ioctl call (bnc#967974).

  - CVE-2016-2544: Race condition in the queue_delete     function in sound/core/seq/seq_queue.c in the Linux     kernel allowed local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time (bnc#967973).

  - CVE-2016-2543: The snd_seq_ioctl_remove_events function     in sound/core/seq/seq_clientmgr.c in the Linux kernel     did not verify FIFO assignment before proceeding with     FIFO clearing, which allowed local users to cause a     denial of service (NULL pointer dereference and OOPS)     via a crafted ioctl call (bnc#967972).

  - CVE-2016-2384: Double free vulnerability in the     snd_usbmidi_create function in sound/usb/midi.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (panic) or possibly have     unspecified other impact via vectors involving an     invalid USB descriptor (bnc#966693).

  - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in     the Linux kernel did not properly identify error     conditions, which allowed remote attackers to execute     arbitrary code or cause a denial of service     (use-after-free) via crafted packets (bnc#966437).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in     the Linux kernel .4.1 allowed local users to gain     privileges by triggering access to a paging structure by     a different CPU (bnc#963767).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call (bnc#961509).

  - CVE-2015-7515: The aiptek_probe function in     drivers/input/tablet/aiptek.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted USB device that lacks endpoints     (bnc#956708).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272 (bnc#955354).

  - CVE-2015-7550: The keyctl_read_key function in     security/keys/keyctl.c in the Linux kernel did not     properly use a semaphore, which allowed local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted application that leverages a race     condition between keyctl_revoke and keyctl_read calls     (bnc#958951).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8575: The sco_sock_bind function in     net/bluetooth/sco.c in the Linux kernel did not verify     an address length, which allowed local users to obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism via a crafted application     (bnc#959399).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2015-8539: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (BUG) via crafted keyctl commands that     negatively instantiate a key, related to     security/keys/encrypted-keys/encrypted.c,     security/keys/trusted.c, and     security/keys/user_defined.c (bnc#958463).

  - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (system crash) via a crafted no-journal     filesystem, a related issue to CVE-2013-2015     (bnc#956709).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel did not     ensure that certain slot numbers are valid, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #DB (aka     Debug) exceptions, related to svm.c (bnc#954404).

  - CVE-2015-5307: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (host OS panic or hang) by triggering many #AC (aka     Alignment Check) exceptions, related to svm.c and vmx.c     (bnc#953527).

  - CVE-2015-7990: Race condition in the rds_sendmsg     function in net/rds/sendmsg.c in the Linux kernel     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#952384).

  - CVE-2015-7872: The key_gc_unused_keys function in     security/keys/gc.c in the Linux kernel allowed local     users to cause a denial of service (OOPS) via crafted     keyctl commands (bnc#951440).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#945825).

  - CVE-2015-6252: The vhost_dev_ioctl function in     drivers/vhost/vhost.c in the Linux kernel allowed local     users to cause a denial of service (memory consumption)     via a VHOST_SET_LOG_FD ioctl call that triggers     permanent file-descriptor allocation (bnc#942367).

  - CVE-2015-3339: Race condition in the prepare_binprm     function in fs/exec.c in the Linux kernel allowed local     users to gain privileges by executing a setuid program     at a time instant when a chown to root is in progress,     and the ownership is changed but the setuid bit is not     yet stripped (bnc#928130).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2015-7515, CVE-2016-2184, CVE-2016-2185,     CVE-2016-2186, CVE-2016-2187, CVE-2016-3136,     CVE-2016-3137, CVE-2016-3138, CVE-2016-3140     Ralf Spenneberg of OpenSource Security reported that     various USB drivers do not sufficiently validate USB     descriptors. This allowed a physically present user with     a specially designed USB device to cause a denial of     service (crash).

  - CVE-2016-0821     Solar Designer noted that the list 'poisoning' feature,     intended to mitigate the effects of bugs in list     manipulation in the kernel, used poison values within     the range of virtual addresses that can be allocated by     user processes.

  - CVE-2016-1237     David Sinquin discovered that nfsd does not check     permissions when setting ACLs, allowing users to grant     themselves permissions to a file by setting the ACL.

  - CVE-2016-1583     Jann Horn of Google Project Zero reported that the     eCryptfs filesystem could be used together with the proc     filesystem to cause a kernel stack overflow. If the     ecryptfs-utils package is installed, local users could     exploit this, via the mount.ecryptfs_private program,     for denial of service (crash) or possibly for privilege     escalation.

  - CVE-2016-2117     Justin Yackoski of Cryptonite discovered that the     Atheros L2 ethernet driver incorrectly enables     scatter/gather I/O. A remote attacker could take     advantage of this flaw to obtain potentially sensitive     information from kernel memory.

  - CVE-2016-2143     Marcin Koscielnicki discovered that the fork     implementation in the Linux kernel on s390 platforms     mishandles the case of four page-table levels, which     allows local users to cause a denial of service (system     crash).

  - CVE-2016-3070     Jan Stancek of Red Hat discovered a local denial of     service vulnerability in AIO handling.

  - CVE-2016-3134     The Google Project Zero team found that the netfilter     subsystem does not sufficiently validate filter table     entries. A user with the CAP_NET_ADMIN capability could     use this for denial of service (crash) or possibly for     privilege escalation. Debian disables unprivileged user     namespaces by default, if locally enabled with the     kernel.unprivileged_userns_clone sysctl, this allows     privilege escalation.

  - CVE-2016-3156     Solar Designer discovered that the IPv4 implementation     in the Linux kernel did not perform the destruction of     inet device objects properly. An attacker in a guest OS     could use this to cause a denial of service (networking     outage) in the host OS.

  - CVE-2016-3157 / XSA-171     Andy Lutomirski discovered that the x86_64 (amd64) task     switching implementation did not correctly update the     I/O permission level when running as a Xen paravirtual     (PV) guest. In some configurations this would allow     local users to cause a denial of service (crash) or to     escalate their privileges within the guest.

  - CVE-2016-3672     Hector Marco and Ismael Ripoll noted that it was     possible to disable Address Space Layout Randomisation     (ASLR) for x86_32 (i386) programs by removing the stack     resource limit. This made it easier for local users to     exploit security flaws in programs that have the setuid     or setgid flag set.

  - CVE-2016-3951     It was discovered that the cdc_ncm driver would free     memory prematurely if certain errors occurred during its     initialisation. This allowed a physically present user     with a specially designed USB device to cause a denial     of service (crash) or possibly to escalate their     privileges.

  - CVE-2016-3955     Ignat Korchagin reported that the usbip subsystem did     not check the length of data received for a USB buffer.
    This allowed denial of service (crash) or privilege     escalation on a system configured as a usbip client, by     the usbip server or by an attacker able to impersonate     it over the network. A system configured as a usbip     server might be similarly vulnerable to physically     present users.

  - CVE-2016-3961 / XSA-174     Vitaly Kuznetsov of Red Hat discovered that Linux     allowed the use of hugetlbfs on x86 (i386 and amd64)     systems even when running as a Xen paravirtualised (PV)     guest, although Xen does not support huge pages. This     allowed users with access to /dev/hugepages to cause a     denial of service (crash) in the guest.

  - CVE-2016-4470     David Howells of Red Hat discovered that a local user     can trigger a flaw in the Linux kernel's handling of key     lookups in the keychain subsystem, leading to a denial     of service (crash) or possibly to privilege escalation.

  - CVE-2016-4482, CVE-2016-4485, CVE-2016-4486,     CVE-2016-4569, CVE-2016-4578, CVE-2016-4580,     CVE-2016-5243, CVE-2016-5244

    Kangjie Lu reported that the USB devio, llc, rtnetlink,     ALSA timer, x25, tipc, and rds facilities leaked     information from the kernel stack.

  - CVE-2016-4565     Jann Horn of Google Project Zero reported that various     components in the InfiniBand stack implemented unusual     semantics for the write() operation. On a system with     InfiniBand drivers loaded, local users could use this     for denial of service or privilege escalation.

  - CVE-2016-4581     Tycho Andersen discovered that in some situations the     Linux kernel did not handle propagated mounts correctly.
    A local user can take advantage of this flaw to cause a     denial of service (system crash).

  - CVE-2016-4805     Baozeng Ding discovered a use-after-free in the generic     PPP layer in the Linux kernel. A local user can take     advantage of this flaw to cause a denial of service     (system crash), or potentially escalate their     privileges.

  - CVE-2016-4913     Al Viro found that the ISO9660 filesystem implementation     did not correctly count the length of certain invalid     name entries. Reading a directory containing such name     entries would leak information from kernel memory. Users     permitted to mount disks or disk images could use this     to obtain sensitive information.

  - CVE-2016-4997 / CVE-2016-4998     Jesse Hertz and Tim Newsham discovered that missing     input sanitising in Netfilter socket handling may result     in denial of service. Debian disables unprivileged user     namespaces by default, if locally enabled with the     kernel.unprivileged_userns_clone sysctl, this also     allows privilege escalation.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-2971-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ben Hawkes discovered that the Linux kernel's AIO interface allowed single writes greater than 2GB, which could cause an integer overflow when writing to certain filesystems, socket or device types. A local attacker could this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8830)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ben Hawkes discovered that the Linux kernel's AIO interface allowed single writes greater than 2GB, which could cause an integer overflow when writing to certain filesystems, socket or device types. A local attacker could this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8830)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-2968-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ben Hawkes discovered that the Linux kernel's AIO interface allowed single writes greater than 2GB, which could cause an integer overflow when writing to certain filesystems, socket or device types. A local attacker could this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8830)

It was discovered that the Linux kernel did not keep accurate track of pipe buffer details when error conditions occurred, due to an incomplete fix for CVE-2015-1805. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0774)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ben Hawkes discovered that the Linux kernel's AIO interface allowed single writes greater than 2GB, which could cause an integer overflow when writing to certain filesystems, socket or device types. A local attacker could this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8830)

It was discovered that the Linux kernel did not keep accurate track of pipe buffer details when error conditions occurred, due to an incomplete fix for CVE-2015-1805. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0774)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2186)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the MCT USB RS232 Converter device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Cypress M8 USB device driver in the Linux kernel did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash).
(CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the USB abstract device control driver for modems and ISDN adapters did not validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the Linux kernel's USB driver for Digi AccelePort serial converters did not properly validate USB device descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not perform the destruction of inet device objects properly. An attacker in a guest OS could use this to cause a denial of service (networking outage) in the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context- switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use this to cause a denial of service (guest OS crash), gain privileges, or obtain sensitive information. (CVE-2016-3157)

It was discovered that the Linux kernel's USB driver for IMS Passenger Control Unit devices did not properly validate the device's interfaces. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3689).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service. (CVE-2013-4312)

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7515)

Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7566)

Ralf Spenneberg discovered that the usbvision driver in the Linux kernel did not properly sanity check the interfaces and endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2015-7833)

It was discovered that a race condition existed when handling heartbeat- timeout events in the SCTP implementation of the Linux kernel. A remote attacker could use this to cause a denial of service.
(CVE-2015-8767)

Venkatesh Pottem discovered a use-after-free vulnerability in the Linux kernel's CXGB3 driver. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

It was discovered that a race condition existed in the ioctl handler for the TTY driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2016-0723)

It was discovered that the Linux kernel did not keep accurate track of pipe buffer details when error conditions occurred, due to an incomplete fix for CVE-2015-1805. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0774)

Zach Riggle discovered that the Linux kernel's list poison feature did not take into account the mmap_min_addr value. A local attacker could use this to bypass the kernel's poison-pointer protection mechanism while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Andy Lutomirski discovered a race condition in the Linux kernel's translation lookaside buffer (TLB) handling of flush events. A local attacker could use this to cause a denial of service or possibly leak sensitive information. (CVE-2016-2069)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework did not verify that a FIFO was attached to a client before attempting to clear it. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2543)

Dmitry Vyukov discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) framework between timer setup and closing of the client, resulting in a use-after-free. A local attacker could use this to cause a denial of service. (CVE-2016-2544)

Dmitry Vyukov discovered a race condition in the timer handling implementation of the Advanced Linux Sound Architecture (ALSA) framework, resulting in a use-after-free. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-2545)

Dmitry Vyukov discovered race conditions in the Advanced Linux Sound Architecture (ALSA) framework's timer ioctls leading to a use-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-2546)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers did not properly manage its data structures. A local attacker could use this to cause a denial of service (system hang or crash) or possibly execute arbitrary code. (CVE-2016-2547, CVE-2016-2548)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers could lead to a deadlock condition. A local attacker could use this to cause a denial of service (system hang). (CVE-2016-2549)

Ralf Spenneberg discovered that the USB driver for Treo devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An attacker with physical access could cause a denial of service (system crash). (CVE-2016-2782)

It was discovered that the Linux kernel did not enforce limits on the amount of data allocated to buffer pipes. A local attacker could use this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (system crash) via a crafted no-journal     filesystem, a related issue to CVE-2013-2015     (bnc#956707).

  - CVE-2015-7515: An out of bounds memory access in the     aiptek USB driver could be used by physical local     attackers to crash the kernel (bnc#956708).

  - CVE-2015-7550: The keyctl_read_key function in     security/keys/keyctl.c in the Linux kernel did not     properly use a semaphore, which allowed local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted application that leverages a race     condition between keyctl_revoke and keyctl_read calls     (bnc#958951).

  - CVE-2015-7566: A malicious USB device could cause kernel     crashes in the visor device driver (bnc#961512).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel did not     ensure that certain slot numbers are valid, which     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is     limited to the NetworkManager product (bnc#955354).

  - CVE-2015-8539: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (BUG) via crafted keyctl commands that     negatively instantiate a key, related to     security/keys/encrypted-keys/encrypted.c,     security/keys/trusted.c, and     security/keys/user_defined.c (bnc#958463).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2015-8550: Optimizations introduced by the compiler     could have lead to double fetch vulnerabilities,     potentially possibly leading to arbitrary code execution     in backend (bsc#957988). (bsc#957988 XSA-155).

  - CVE-2015-8551: The PCI backend driver in Xen, when     running on an x86 system and using Linux as the driver     domain, allowed local guest administrators to hit BUG     conditions and cause a denial of service (NULL pointer     dereference and host OS crash) by leveraging a system     with access to a passed-through MSI or MSI-X capable     physical PCI device and a crafted sequence of     XEN_PCI_OP_* operations, aka 'Linux pciback missing     sanity checks (bnc#957990).

  - CVE-2015-8552: The PCI backend driver in Xen, when     running on an x86 system and using Linux as the driver     domain, allowed local guest administrators to generate a     continuous stream of WARN messages and cause a denial of     service (disk consumption) by leveraging a system with     access to a passed-through MSI or MSI-X capable physical     PCI device and XEN_PCI_OP_enable_msi operations, aka     'Linux pciback missing sanity checks (bnc#957990).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     do not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8575: The sco_sock_bind function in     net/bluetooth/sco.c in the Linux kernel did not verify     an address length, which allowed local users to obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism via a crafted application     (bnc#959399).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call (bnc#961509).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2015-8812: A flaw was found in the CXGB3 kernel     driver when the network was considered congested. The     kernel would incorrectly misinterpret the congestion as     an error condition and incorrectly free/clean up the     skb. When the device would then send the skb's queued,     these structures would be referenced and may panic the     system or allow an attacker to escalate privileges in a     use-after-free scenario.(bsc#966437).

  - CVE-2015-8816: A malicious USB device could cause kernel     crashes in the in hub_activate() function (bnc#968010).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2016-2069: A race in invalidating paging structures     that were not in use locally could have lead to     disclosoure of information or arbitrary code exectution     (bnc#963767).

  - CVE-2016-2143: On zSeries a fork of a large process     could have caused memory corruption due to incorrect     page table handling. (bnc#970504, LTC#138810).

  - CVE-2016-2184: A malicious USB device could cause kernel     crashes in the alsa usb-audio device driver     (bsc#971125).

  - CVE-2016-2185: A malicious USB device could cause kernel     crashes in the usb_driver_claim_interface function     (bnc#971124).

  - CVE-2016-2186: A malicious USB device could cause kernel     crashes in the powermate device driver (bnc#970958).

  - CVE-2016-2384: A double free on the ALSA umidi object     was fixed. (bsc#966693).

  - CVE-2016-2543: A missing NULL check at remove_events     ioctl in the ALSA seq driver was fixed. (bsc#967972).

  - CVE-2016-2544: Fix race at timer setup and close in the     ALSA seq driver was fixed. (bsc#967973).

  - CVE-2016-2545: A double unlink of active_list in the     ALSA timer driver was fixed. (bsc#967974).

  - CVE-2016-2546: A race among ALSA timer ioctls was fixed     (bsc#967975).

  - CVE-2016-2547,CVE-2016-2548: The ALSA slave timer list     handling was hardened against hangs and races.
    (CVE-2016-2547,CVE-2016-2548,bsc#968011,bsc#968012).

  - CVE-2016-2549: A stall in ALSA hrtimer handling was     fixed (bsc#968013).

  - CVE-2016-2782: A malicious USB device could cause kernel     crashes in the visor device driver (bnc#968670).

  - CVE-2016-3137: A malicious USB device could cause kernel     crashes in the cypress_m8 device driver (bnc#970970).

  - CVE-2016-3139: A malicious USB device could cause kernel     crashes in the wacom device driver (bnc#970909).

  - CVE-2016-3140: A malicious USB device could cause kernel     crashes in the digi_acceleport device driver     (bnc#970892).

  - CVE-2016-3156: A quadratic algorithm could lead to long     kernel ipv4 hangs when removing a device with a large     number of addresses. (bsc#971360).

  - CVE-2016-3955: A remote buffer overflow in the usbip     driver could be used by authenticated attackers to crash     the kernel. (bsc#975945)

  - CVE-2016-2847: A local user could exhaust kernel memory     by pushing lots of data into pipes. (bsc#970948).

  - CVE-2016-2188: A malicious USB device could cause kernel     crashes in the iowarrior device driver (bnc#970956).

  - CVE-2016-3138: A malicious USB device could cause kernel     crashes in the cdc-acm device driver (bnc#970911).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

Following feature was added to kernel-xen :

  - A improved XEN blkfront module was added, which allows     more I/O bandwidth. (FATE#320200) It is called     xen-blkfront in PV, and xen-vbd-upstream in HVM mode.

The following security bugs were fixed :

  - CVE-2013-7446: Use-after-free vulnerability in     net/unix/af_unix.c in the Linux kernel allowed local     users to bypass intended AF_UNIX socket permissions or     cause a denial of service (panic) via crafted epoll_ctl     calls (bnc#955654).

  - CVE-2015-7515: An out of bounds memory access in the     aiptek USB driver could be used by physical local     attackers to crash the kernel (bnc#956708).

  - CVE-2015-7550: The keyctl_read_key function in     security/keys/keyctl.c in the Linux kernel did not     properly use a semaphore, which allowed local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted application that leverages a race     condition between keyctl_revoke and keyctl_read calls     (bnc#958951).

  - CVE-2015-8539: The KEYS subsystem in the Linux kernel     allowed local users to gain privileges or cause a denial     of service (BUG) via crafted keyctl commands that     negatively instantiate a key, related to     security/keys/encrypted-keys/encrypted.c,     security/keys/trusted.c, and     security/keys/user_defined.c (bnc#958463).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2015-8550: Compiler optimizations in the XEN PV     backend drivers could have lead to double fetch     vulnerabilities, causing denial of service or arbitrary     code execution (depending on the configuration)     (bsc#957988).

  - CVE-2015-8551, CVE-2015-8552: xen/pciback: For     XEN_PCI_OP_disable_msi[|x] only disable if device has     MSI(X) enabled (bsc#957990).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8575: The sco_sock_bind function in     net/bluetooth/sco.c in the Linux kernel did not verify     an address length, which allowed local users to obtain     sensitive information from kernel memory and bypass the     KASLR protection mechanism via a crafted application     (bnc#959190 bnc#959399).

  - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux     kernel did not properly manage the relationship between     a lock and a socket, which allowed local users to cause     a denial of service (deadlock) via a crafted sctp_accept     call (bnc#961509).

  - CVE-2015-8785: The fuse_fill_write_pages function in     fs/fuse/file.c in the Linux kernel allowed local users     to cause a denial of service (infinite loop) via a     writev system call that triggers a zero length for the     first segment of an iov (bnc#963765).

  - CVE-2015-8812: A use-after-free flaw was found in the     CXGB3 kernel driver when the network was considered to     be congested. This could be used by local attackers to     cause machine crashes or potentially code execution     (bsc#966437).

  - CVE-2016-0723: Race condition in the tty_ioctl function     in drivers/tty/tty_io.c in the Linux kernel allowed     local users to obtain sensitive information from kernel     memory or cause a denial of service (use-after-free and     system crash) by making a TIOCGETD ioctl call during     processing of a TIOCSETD ioctl call (bnc#961500).

  - CVE-2016-2069: Race conditions in TLB syncing was fixed     which could leak to information leaks (bnc#963767).

  - CVE-2016-2384: Removed a double free in the ALSA     usb-audio driver in the umidi object which could lead to     crashes (bsc#966693).

  - CVE-2016-2543: Added a missing NULL check at     remove_events ioctl in ALSA that could lead to crashes.
    (bsc#967972).

  - CVE-2016-2544, CVE-2016-2545, CVE-2016-2546,     CVE-2016-2547, CVE-2016-2548, CVE-2016-2549: Various     race conditions in ALSAs timer handling were fixed.
    (bsc#967975, bsc#967974, bsc#967973, bsc#968011,     bsc#968012, bsc#968013).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.2.7 stable update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
125301	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1508)	Nessus	Huawei Local Security Checks	high
124812	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1488)	Nessus	Huawei Local Security Checks	high
93289	SUSE SLES11 Security Update : kernel (SUSE-SU-2016:2074-1)	Nessus	SuSE Local Security Checks	critical
91886	Debian DSA-3607-1 : linux - security update	Nessus	Debian Local Security Checks	critical
91094	Ubuntu 15.10 : linux-raspi2 vulnerabilities (USN-2971-3)	Nessus	Ubuntu Local Security Checks	high
91093	Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-2971-2)	Nessus	Ubuntu Local Security Checks	high
91092	Ubuntu 15.10 : linux vulnerabilities (USN-2971-1)	Nessus	Ubuntu Local Security Checks	high
91091	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2970-1)	Nessus	Ubuntu Local Security Checks	high
91090	Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2969-1)	Nessus	Ubuntu Local Security Checks	high
91089	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2968-2)	Nessus	Ubuntu Local Security Checks	high
91088	Ubuntu 14.04 LTS : linux vulnerabilities (USN-2968-1)	Nessus	Ubuntu Local Security Checks	high
91087	Ubuntu 12.04 LTS : linux vulnerabilities (USN-2967-1)	Nessus	Ubuntu Local Security Checks	critical
90884	SUSE SLES11 Security Update : kernel (SUSE-SU-2016:1203-1)	Nessus	SuSE Local Security Checks	critical
90264	SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2016:0911-1)	Nessus	SuSE Local Security Checks	critical
89399	Fedora 22 : kernel-4.2.7-200.fc22 (2015-c4ed00a68f)	Nessus	Fedora Local Security Checks	medium
89366	Fedora 23 : kernel-4.2.7-300.fc23 (2015-ac9a19888e)	Nessus	Fedora Local Security Checks	medium

CVE-2015-7515

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins